Decentralized computing systems and methods for performing actions using stored private data
Abstract
It is typically difficult for a user to have any awareness of which private data is being used by a third party and to control the flow of the private data to the third party. A computing system is provided with a trusted node that stores encrypted private data. When the third party wishes to obtain information types from the user, the trusted node generates a scope document that specifies the requested information types. This scope document is sent to the user device as a challenge. The user device uses the scope document to display the requested information types, and the user provides input to permit providing the information types to the third party. The user device returns a signed challenge response, which includes the scope document. The trusted node then decrypts the encrypted private data, which corresponds to the requested information types, for the third party.
Claims
exact text as granted — not AI-modified1 . A computing system designated as a trusted node, comprising:
a communication system configured to communicate with a user device, a relying party system and a blockchain network of nodes; a memory that stores at least one or more obfuscated subject data (SD′) parcels; and a processor system that executes executable instructions comprising: computing a challenge using a scope document specifying one or more types of information in one or more subject data (SD) parcels, wherein the challenge is a function of the scope document and a random nonce; transmitting the challenge to the user device to initiate an authentication process; receiving a signed challenge response from the user device; verifying the signed challenge response, which comprises verifying the signed challenge response comprises the scope document; and, if the signed challenge response is verified, computing one or more One Time Pads (OTPs) using multiple decryption shares obtained from the blockchain network of nodes, wherein the one or more OTPs correspond to the one or more obfuscated SD′ parcels; using the one or more OTPs and the one or more obfuscated SD′ parcels to compute the one or more SD parcels; and transmitting the one or more SD parcels to at least one of the user device and the relying party system.
2 . The computing system of claim 1 wherein the signed challenge response comprises the scope document, the nonce and a digital signature signed by a private key stored on the user device, and a corresponding public key is stored on the memory of the computing system that is used to verify the digital signature.
3 . The computing system of claim 1 wherein the signed challenge response comprises the scope document, the nonce and a digital signature signed by a Fast Identity Online (FIDO) private key stored on the user device, and a corresponding FIDO public key is stored on the memory of the computing system that is used to verify the digital signature.
4 . The computing system of claim 1 wherein the scope document further comprises identity data of the relying party system that is requesting the one or more subject data parcels.
5 . The computing system of claim 1 wherein the scope document comprises usage data of the subject data parcels.
6 . The computing system of claim 1 wherein the processor previously computed the one or more obfuscated SD′ parcels using the one or more OTPs and the one or more SD parcels.
7 . The computing system of claim 1 wherein a given SD parcel computed from a given OTP and a given obfuscated SD′ parcel comprises the given SD parcel=the given obfuscated SD′ parcel⊕the given OTP.
8 . The computing system of claim 1 wherein the memory further stores a public key of the relying party system, and the one or more SD parcels are transmitted in encrypted form; and the executable instructions further comprise: encrypting the one or more SD parcels using the public key of the relying party system to output SD RP ; and transmitting SD RP to the relying party system.
9 . The computing system of claim 1 wherein each one of the multiple decryption key shares is initially encrypted using a public key of the trusted node, and the computing system decrypts each one of the decryption key shares using a private key of the trusted node, which corresponds to the public key of the trusted node.
10 . The computing system of claim 1 wherein processor combines the decryption keys shares to compute the OTP.
11 . The computing system of claim 1 wherein the one or more types of information specified in the scope document are displayable via a graphical user interface on the user device.
12 . The computing system of claim 1 wherein the signed challenge response, which comprises the scope document, is used to create a record of the user device providing authorization to the relying party system to obtain the one or more types of information specified in the scope document.
13 . The computing system of claim 1 wherein different ones of the one or more SD parcels correspond to different types of information.
14 . The computing system of claim 13 wherein at least one of the SD parcels comprises a user name and another one of the SD parcels comprises an address.
15 . The computing system of claim 13 wherein at least one of the SD parcels comprises a user name and another one of the SD parcels comprises a photograph.
16 . A user device, comprising:
a communication system configured to communicate with a trusted node and a relying party system; a display device; a memory that stores at least a user agent, comprising at least one of a browser and a native application; a secure element that stores at least a private key; a biometric scanning device; and a processor system that executes executable instructions comprising: receiving a challenge from the trusted node, wherein the challenge comprises a scope document specifying one or more types of information in one or more subject data (SD) parcels, which are requested to be obtained by the relying party system; displaying the one or more types of information via the user agent in a graphical user interface on the display device; receiving a confirmation user input to provide the one or more types of information; after using the biometric scanning device to authenticate a user of the user device, using the private key to digitally sign a challenge response, wherein the challenge response comprises the scope document.
17 . The user device of claim 16 wherein the challenge is a function of the scope document and a random nonce; and wherein the signed challenge response is a function of the scope document and the random nonce.
18 . The user device of claim 16 wherein the private key is a Fast Identity Online (FIDO) private key stored on the secure element, and a corresponding FIDO public key is obtainable by the trusted node.
19 . The user device of claim 1 wherein the scope document further comprises identity data of the relying party system that is requesting the one or more subject data parcels.
20 . The user device of claim 1 wherein the user agent communicates initially with the relying party system to complete an action that uses the one or more SD parcels, which initiates the user device receiving the challenge from the trusted node.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.